What are the career paths in the computer security field?

Begin your training and certifications now with CED Solutions Security Courses! www.cedsolutions.com (800) 611-1840

cloud-security-key (1)As niche as “security” seems, it actually encompasses a few main types of roles, and a couple of areas of coverage.

These are actually quite different…

Common roles:

  • Enterprise IT security department
    These guys usually deal mostly with policy enforcement, auditing, user awareness, monitoring, maaaaybe some enterprise-wide initiatives (e.g. SIEM, IdM, etc), and an occasional Incident Response. Also probably give a security PoV on purchasing 3rd party products (whether COTS or FOSS), and in any outsourcing RFP.
  • Security team in development group (either in enterprise or in dev shops)
    Mostly deal with programmer education and training, some security testing (or handling external testing, see below) – this includes both pentesting and reviewing code, maybe defining security features. Some orgs will have the security team also managing risks, participating in threat modeling, etc.
  • External consultant / auditor / security tester
    This usually covers, in some form, all of the above, most often with an emphasis on penetration testing, code reviews, and auditing for regulatory compliance (e.g. PCI). In addition, serving as the security expert, go-to guys for the other types of organizations, such as supplying all the relevant advice…. therefore usually expected (though not necessarily the case 😉 ) to be more up to date than anyone else.
  • Researcher
    This can include academic level research, such as cryptologists, and also research departments in some of the larger security vendors, researching and searching for new exploits / viruses / attacks / flaws / mitigation models / etc. These can actually be quite different, vendor research is often treated as product development, whereas academic research – well, I can’t really speak to that, since I don’t know…

Likewise, in all the above there are different areas of expertise, and an expert in one won’t necessarily have anything intelligent to say in any other area:

  • Network security, e.g. routers, firewall, network segmentation and architecture, etc.
  • O/S security, which is of course further subdivided according to O/S flavor (i.e. Windows security expert and Linux security experts might not know much about each other’s stuff).
  • Application security – i.e. how to program securely (which may be necessary to subdivide according to language, technology, etc.), but also application-layer attacks, e.g. Web attacks, etc.
  • Risk management experts – more focused on the business side, less on the technical
  • Compliance officers – some places have these dedicated, and they’re experts on all the relevant regulations and such (note that this is borderline lawyer-like work!)
  • Identity architects – for larger, security conscious orgs, that have complex IdM implementations and the like…
  • Auditing and forensics experts, deal mainly with SIEM/SIM/SOC, and also with investigations after the fact.

On top of that, there are some that specialize in building the secure systems (at each level of the stack), and some that spend their time breaking them – and it is not always shared expertise.

There are probably even more niche-niches that I’m skipping over, but you’re starting to get the picture…. As you can see, what a security guy or gal does on a day to day basis is as wide and varied as the companies in which they work, and the systems which they work on. Most often, this DOES require shifting several hats, and working mostly on short tasks… BUT what stays the same (usually) is the requirement to focus on the risks (and threats), whether its mostly a technical job as defining firewall rules, or communicating with the business and lawyer types about the organization’s current security posture.

As to how to get into the field? Ideally, you have some experience (preferably expertise) in some other field, that you can then specialize to security.
You used to be network engineer? Great, start with focusing on network security, and go from there.
You’re currently a systems administrator? Wonderful, you’ve probably worked a bit on security already, start learning more in that field.
You’ve been programming since you were a kid, and want to move to security? Fantastic, you should already have been learning about input validation, cryptography, threat mitigation, secure DB access, etc… Learn some more, figure out what you’re missing, and then give me a call ;-).
And so on… On the other hand, if you have no background and want to START in security, that’s tougher – because as I’ve explained, most often the security guys is expected to be the expert on whatever it is. You can try to join a pentesting team, and grow from there… The important part is to focus on risk management (and, for the technical, threat modeling).

I also strongly suggest reading lots of security books and blogs (I enjoy Bruce Schneier’s stuff), and also try out OWASP for the application side of things.


Protect your systems and networks with the knowledge gained from the new Cisco Course: Cyber Security Specialist (Feb 23rd to Feb 27th); ISC2 Official CISSP course (Mar 16th to Mar 21st) and attend our Security Certified Ethical Hacking course (Mar 23rd to Mar 27th), our ( Computer Hacking Forensics Investigator course (Mar 30th to Apr 3rd) and Security ESCA/LPT course (May 11th to May 15th) !  (800) 611-1840

www.cedsolutions.com, info@cedsolutions.com

Share this post